Is it possible to implement event filtering (and/or routing) in a managed Splunk Cloud deployment without the usage of an on-prem Heavy Forwarder?
The scenario is:
- Running a managed Splunk Cloud instance
- Need to ingest AWS Cloudtrail logs (preferably using the "AWS Add-on" app and configure a SQS-Based S3 input)
- Need to filter out the majority of Cloudtrail events before they hit the Index and so impact the license
- (Critical requirement) Need to avoid "external" self-managed components like Heavy Forwarders (main reason to get a managed Cloud instance)
If the answer is no, I am also open to other suggestions.
Note: I am aware that AWS Add-on allows to setup a "Generic S3" input for Cloudtrail that implements "in-line" event blacklisting. Unfortunately this is not an option in my scenario as the input type is way too heavy on S3 operations.
... View more